Google Warns of Sophisticated Social Engineering Attacks Targeting Salesforce Users
A new report from Google’s threat intelligence division has uncovered a coordinated cyberattack campaign in which a hacking group impersonated IT support personnel to infiltrate the Salesforce environments of at least 20 companies across the U.S. and Europe.
The attackers—linked to a loosely affiliated collective known as “the Com”—used social engineering tactics rather than exploiting software vulnerabilities. By posing as internal IT staff, they contacted employees via phone and tricked them into revealing login credentials or into authorizing third-party applications, not sanctioned by their organization, to connect to its Salesforce systems.
After gaining access, the group quietly extracted sensitive data, often waiting weeks or even months before issuing extortion demands. Google emphasized that the breach did not stem from any inherent flaws in Salesforce’s technology. A Salesforce spokesperson confirmed this, stating: “There’s no indication the issue described stems from any vulnerability inherent to our services. Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices.”
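The attack chain described above (a phone call, an employee granting a third-party app access, then quiet data extraction) leaves an audit trail that a defender can check for. The following Python is an added example, not code from Google's report or from Salesforce: it runs over a small set of constructed audit events in a hypothetical schema (not Salesforce's real Event Monitoring or Setup Audit Trail format) and flags connected-app authorizations that are missing from an organization's allowlist, then pairs each one with bulk exports made through that app shortly afterwards. The allowlist contents, field names and sample events are all assumptions.

```python
"""Flag unvetted connected-app grants and the data pulls that follow them.

Added example. The event schema and sample records below are constructed
stand-ins, not Salesforce's real audit format; APPROVED_APPS is an assumed
allowlist that an organization would maintain itself.
"""
from datetime import datetime, timedelta

# Assumption: the organization keeps an allowlist of connected apps it has vetted.
APPROVED_APPS = {"Corporate SSO", "Finance Sync"}

# Constructed sample audit events (hypothetical schema): who did what, when,
# from which address, and through which connected app.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T09:02:00", "user": "alice", "action": "login",
     "ip": "203.0.113.10", "app": None},
    {"ts": "2025-05-01T09:05:00", "user": "alice", "action": "app_authorized",
     "ip": "203.0.113.10", "app": "Finance Sync"},
    {"ts": "2025-05-02T14:10:00", "user": "bob", "action": "login",
     "ip": "198.51.100.7", "app": None},
    {"ts": "2025-05-02T14:12:00", "user": "bob", "action": "app_authorized",
     "ip": "198.51.100.7", "app": "Data Loader Helper"},
    {"ts": "2025-05-02T14:40:00", "user": "bob", "action": "bulk_export",
     "ip": "198.51.100.7", "app": "Data Loader Helper", "rows": 250000},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used by the constructed events."""
    return datetime.fromisoformat(value)


def unapproved_authorizations(events, approved=APPROVED_APPS):
    """Return (user, app, ts) for every connected-app grant not on the allowlist.

    A user who was talked into approving an app over the phone shows up here
    even when their own credentials and MFA were never compromised.
    """
    return [
        (e["user"], e["app"], e["ts"])
        for e in events
        if e["action"] == "app_authorized" and e["app"] not in approved
    ]


def exports_after_new_app(events, window=timedelta(hours=24), approved=APPROVED_APPS):
    """Pair each unapproved grant with bulk exports by the same user through
    that app inside `window`. An unvetted app pulling data soon after it was
    approved is the extraction step the report describes, and it is the
    point at which a responder still has time to revoke the grant."""
    flagged = []
    for auth in events:
        if auth["action"] != "app_authorized" or auth["app"] in approved:
            continue
        t0 = parse_ts(auth["ts"])
        for e in events:
            if (
                e["action"] == "bulk_export"
                and e["user"] == auth["user"]
                and e["app"] == auth["app"]
                and t0 <= parse_ts(e["ts"]) <= t0 + window
            ):
                flagged.append(
                    {"user": e["user"], "app": e["app"],
                     "rows": e.get("rows", 0), "ts": e["ts"]}
                )
    return flagged


if __name__ == "__main__":
    for user, app, ts in unapproved_authorizations(SAMPLE_EVENTS):
        print(f"unvetted connected app '{app}' authorized by {user} at {ts}")
    for hit in exports_after_new_app(SAMPLE_EVENTS):
        print(f"bulk export of {hit['rows']} rows via '{hit['app']}' "
              f"by {hit['user']} at {hit['ts']}")
```

The allowlist check is the cheaper control: restricting which connected apps users may approve at all removes the decision from the person on the phone, while the export correlation catches the case where a grant slipped through and the data has not yet been used for extortion.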
Salesforce had previously issued a warning in March, citing an increase in social engineering attempts targeting customer accounts and offering guidance to bolster security protocols. While recent intrusions have largely impacted companies in the retail sector, Google notes the campaign’s reach spans multiple industries. Major brands such as Marks & Spencer, Co-op, Adidas, Victoria’s Secret, Cartier, and North Face have all experienced cyber incidents in recent weeks, though Google says there’s insufficient evidence to definitively link these attacks to the Com group.
Google’s investigation further indicates the attackers employed infrastructure and techniques associated with known members of “the Com,” including individuals connected to the notorious Scattered Spider group. This collective is recognized for its history of high-profile breaches and impersonation-based attacks, and some members are suspected of involvement in SIM-swapping scams aimed at stealing cryptocurrency. These actors are known to coordinate through online forums and social media platforms.
In response, Google is urging businesses to prioritize employee awareness training and maintain strong internal protocols, warning that social engineering remains a major threat vector—even as technical security measures become increasingly advanced.